The recent disclosure by Google, Adobe and other companies that their networks had been thoroughly compromised by attackers who may have been after their source code has prompted a tremendous amount of discourse both in the security community and in the general public about the political and commercial implications of the attacks. But the fact of the matter is that the attacks themselves were neither remotely unique nor particularly clever. And that is what should be worrying lawmakers, corporate security specialists and anyone else with some skin in the game.
From all of the publicly available information, it looks like Google, Adobe and at least some of the other unnamed victims of the Aurora attacks were compromised by what amounts to a relatively pedestrian phishing attack. Security researchers have said that the attackers sent emails and instant messages to specifically targeted employees at Google. When the recipients clicked on the links in the messages, it started a chain reaction that exploited a previously unknown vulnerability in Internet Explorer and installed malware on the user’s PC. From then on, it was open season for the attackers, who had several footholds on Google’s network and leveraged them to gain access to more sensitive systems.
Which part of that sounds sophisticated?
Really, the only interesting thing is that the attackers used an unknown IE flaw, and even that’s stretching the definition of “interesting.” Security researchers have been saying for years now that attackers are using zero days as a matter of course. They buy and sell exploits for vulnerabilities that Microsoft, Adobe, Oracle and other software makers have never heard of, use them until they’re burned and then move on to the next one. And it’s not just intelligence agencies or state-sponsored groups who operate on this level; it’s simply the way things work now. One researcher called the use of zero days a “baseline.”
This is not The New New Thing, or even The somewhat new thing. It’s Attacking 101 now, and while the federal government and others scramble to understand the threat, the attackers are moving on to other techniques and strategies, secure in the knowledge that they’re several steps ahead.
It’s not difficult to find the parallels between the current uproar over advanced persistent threats (read: custom malware) and the fight against terrorism. In the years leading up to the 9/11 attacks, intelligence officials ignored warnings about the growing threat of loosely connected terrorist groups gaining strength in Afghanistan, Yemen and elsewhere who were planning to attack the United States. After the attacks, the government spent billions of dollars protecting against the techniques the 9/11 attackers used and reacting to each new attack (shoe bombs, liquid/gel bombs, Underoos bombs) in similar fashion, always playing catch-up.
That’s a pretty good outline of what’s been happening in parts of the security community and in Washington in the years before the Google attack and in the weeks since it became public. A lot of people, including me, have had a lot of fun at the expense of Richard Clarke for constantly trotting out the “digital Pearl Harbor” bogeyman to illustrate the weakness of the country’s network defenses and the dire need for more money and research on information security. But while that phrase itself still rings false, the idea behind it does not.
The Google attack is not the sort of huge, national-level event that Clarke was constantly on about, and hopefully there won’t ever be one on that scale. What the Aurora attack is, however, is the public face of a threat that has been hidden from most people’s view for far too long. It’s the common, albeit cleverly targeted, attack that is going on every day on networks around the world.
It’s the new normal.